Will TLSv1.3 always send session ticket?

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 16 16:20:05 UTC 2021

On Thu, Sep 16, 2021 at 10:05:44AM +0100, Matt Caswell wrote:

> No. Unless you configure the server otherwise OpenSSL will always send 
> session ticket(s) in TLSv1.3.

It may be worth mentioning a discussion from some time back on the TLSWG
list started by David Benjamin that notes that in TLS 1.3 it is not
always opportune for the server to send post-handshake session
resumption tickets unless it is also sending some application data.

If the application protocol in question has the client sending first and
delivering a large request to the server before attempting to read a
response, an "unsolicited" transmission of session tickets from server
to client may cause an application protocol deadlock if the client's TCP
window is not large enough to accommodate the session tickets withour
any client-side reads.

This situation can with some justification be argued to be a defect in
the TLS 1.3 protocol.

I don't recall whether OpenSSL makes any effort to or supports deferring
the transmission of session tickets until just before the first
application data transmission from server to client (or else perhaps
just before responding to a received close-notify with a reciprocal


More information about the openssl-users mailing list